Contents

Which one?

Neither rkhunter nor chkrootkit are necessarily better than the other and can easily be run at the same time, giving added defence measures and peace of mind.

As with chkrootkit, rkhunter is not an active defence method. It does not prevent exploits being placed on your Server but it will inform you if there is a suspected exploit. Again, as with chkrootkit, if you have been exploited then the only real option is to reinstall with a fresh image.

If you want to skip the interactive mode, add the -sk option at the end:

sudo /usr/local/bin/rkhunter -c -sk

To see other options available for use:

sudo /usr/local/bin/rkhunter

Configuration

You may have configured your Server in a way that triggers warnings from rkhunter.

Firstly, I would say listen to what it says and decide if you really need something that is a security risk and, secondly, if you do want the risk, there are ways of configuring rkhunter so it ignores certain things.

Here's an example. Let's say I ran rkhunter and got this message:

Checking for allowed root login... Watch out Root login possible. Possible risk!
info: "PermitRootLogin yes" found in file /etc/ssh/sshd_config
Hint: See logfile for more information about this issue

That's fairly straight forward: I left the "PermitRootLogin" set to "yes" in my sshd_config file.

Now we know that's a silly thing to do and it's a nice reminder to tighten up our SSH configuration.

But let's say we do want to enable root logins via SSH but don't want a warning every time we run rkhunter.

Enter /usr/local/etc/rkhunter.conf. Open it up:

sudo nano /usr/local/etc/rkhunter.conf

Scan down until you reach this line:

#ALLOW_SSH_ROOT_USER=0

Uncomment the line and change the 0 to a 1

ALLOW_SSH_ROOT_USER=1

Now when we run rkhunter there are no highlighted warnings and this message: